Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists
Foswiki recommends use of Apache configuration files for configuring the server whenever possible. The example files included with Foswiki, and any configurations generated by the ApacheConfigGenerator, all specify AllowOverride None for the /pub directory. If these examples are not used, or the server requires use of .htaccess files due to other site requirements, then Windows hosted Apache servers could be vulnerable.
Note: This alert is different from the TWiki version. Foswiki recommends that this issue be corrected solely with a configuration change. Software patching is not required. On most platforms there is no need to restrict files named with a trailing dot.
Foswiki has limited vulnerability to this attack vector. Systems are only vulnerable when both of the following conditions exist:
- Foswiki is running on a Windows + Apache web server (Linux based installations are not vulnerable)
- AND the Apache server has been configured to enable .htaccess file processing in the pub/ directory (not recommended)
Severity Level
Severity 1 issue: The web server can be compromised
The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess
MITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7237 to this vulnerability.
Vulnerable Software Versions
- Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9
To be fixed in Foswiki 2.0
Attack Vectors
An HTTP POST request to a Foswiki running on a Windows server (typically port 80/TCP) that uploads an attachment with a specially named file. Prior authentication is typically required, i.e. the attacker needs whatever access the site grants for attaching files.
Impact
A remote attacker can upload a '.htaccess' file into the pub/ tree, which can then make other uploaded files executable on the server.
Details
.htaccess files allow server options and access rules to be overridden "in-directory". Any setting of "AllowOverride" other than "None" in the Apache configuration will cause Apache to look for and apply overrides from .htaccess files located in the directory (and parent directories) of the file that it is about to process. If there is any path for a remote user to upload an .htaccess file, then the server is potentially subject to compromise.
Foswiki provides a default {UploadFilter} that blocks attempts to upload the .htaccess file (a file name matching the filter has .txt appended on upload). The vulnerability occurs because the Windows file system will strip the "trailing dot" from any file name when the file is written to disk, and the default filter does not match a name that ends in a dot.
- Attacker creates a .htaccess file that enables execution of a particular file
- Attacker uploads the file as .htaccess. (note trailing dot)
- Foswiki UploadFilter fails to block the file, due to the trailing dot.
- Foswiki saves the file to disk; Windows writes the file named .htaccess, stripping the trailing dot
- Attacker then uploads a file which can then be executed due to the rules override.
Countermeasures
No action is necessary on non-Windows server platforms.
- Update the Foswiki {UploadFilter} configuration to block files with a trailing dot. (Note the added ? following the cgi) that closes the extension group: it makes the whole group optional, so any name whose last character is a dot now matches.) In configure, open the "Security and Authentication" section, "Environment" tab, reveal the "Expert" settings and change the {UploadFilter} setting, adding a ? after the cgi).
If configure is not convenient, it is also possible to update the lib\LocalSite.cfg file directly.
Before:
$Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';
After:
$Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi)?)$';
After this change is applied, the file .htaccess. will be renamed to .htaccess..txt during upload. That name no longer ends in a dot, so Windows stores it unchanged, and it is not an override file name Apache reads.
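The attack steps in Details and the {UploadFilter} change above, exercised together in an added example. This is not Foswiki's code: it models the two behaviours the advisory describes (a name matching the filter has .txt appended; Windows drops a trailing dot when the file is created) with small functions, and runs the before and after patterns over a constructed list of file names. The patterns are the advisory's, with one syntactic change: Perl accepts the (?i) flag in the middle of a pattern, Python's re module does not, so it is written as the scoped group (?i:...) around the same extension alternation.

```python
import re

# Added example (not Foswiki's own code): a model of the UploadFilter check
# and of the Windows trailing-dot behaviour described in the advisory, so
# the bypass and the fix can be exercised side by side.
#
# The two patterns are the advisory's {UploadFilter} values.  Perl allows
# "(?i)" in the middle of a pattern (case-insensitive from there on);
# Python's re module does not, so the flag is written as the scoped group
# "(?i:...)" around the same extension alternation.  Nothing else changes.
UPLOAD_FILTER_BEFORE = re.compile(
    r'^(\.htaccess|.*\.(?i:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$'
)
# The fix: "?" after the extension group makes it optional, so ".*\." on
# its own now matches any name whose last character is a dot.
UPLOAD_FILTER_AFTER = re.compile(
    r'^(\.htaccess|.*\.(?i:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi)?)$'
)


def sanitize_attachment_name(name, upload_filter):
    """Model of the behaviour the advisory describes: a name that matches
    the filter gets '.txt' appended, so Apache no longer treats it as an
    override file or as something to execute."""
    if upload_filter.match(name):
        return name + '.txt'
    return name


def windows_on_disk_name(name):
    """Model of the Win32 behaviour the bypass relies on: trailing dots are
    dropped from the name when the file is created (assumption: the model
    strips only dots, which is all the advisory depends on)."""
    return name.rstrip('.')


def simulate_upload(name, upload_filter):
    """Name the attacker supplies -> name that ends up on a Windows disk."""
    return windows_on_disk_name(sanitize_attachment_name(name, upload_filter))


# Constructed sample names: the advisory's ".htaccess." plus a few others
# showing which names the trailing dot did and did not slip past.
SAMPLE_NAMES = ['.htaccess', '.htaccess.', 'evil.cgi.', 'evil.php.',
                'page.PHP', 'notes.txt', 'README']

if __name__ == '__main__':
    print(f"{'uploaded as':<14}{'on disk (before fix)':<24}on disk (after fix)")
    for n in SAMPLE_NAMES:
        print(f'{n:<14}{simulate_upload(n, UPLOAD_FILTER_BEFORE):<24}'
              f'{simulate_upload(n, UPLOAD_FILTER_AFTER)}')
```

Running it shows .htaccess. and evil.cgi. landing on disk as .htaccess and evil.cgi with the old pattern, and as .htaccess..txt and evil.cgi..txt with the new one, while ordinary names such as notes.txt and README are untouched by either. The php and htm alternatives already carry (\..*)? after the extension, so evil.php. was caught by the old pattern too; the trailing dot only helped names matched by the other alternatives, and .htaccess in particular.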
Other recommendations
- Review Apache configuration files for possible misconfiguration:
  - The /pub directory should specify AllowOverride None
  - Look for any instances of the AccessFileName directive. If .htaccess has been changed to some other name, the UploadFilter must be changed to match that name.
- Find and remove any .htaccess files from directories below the /pub directory.
- If any files are found, review the content of any other attachments that may have been made executable by that file.
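The review above, as an added audit script. It is not part of the advisory or of Foswiki: it reads an Apache configuration text, reports the AllowOverride value of every <Directory> block for pub and any AccessFileName override, then walks the pub/ tree for files carrying an override file name. The httpd.conf fragment and the pub/ tree it runs against are constructed for the demonstration (a planted .htaccess and an AccessFileName that adds a second name). Assumptions: the configuration is a single file (Include directives are not followed) and <Directory> blocks are not nested, which is enough for a first pass; on a real server point it at the live httpd.conf and pub directory.

```python
import os
import re
import tempfile
from typing import Dict, List

# Added example (not part of the advisory or of Foswiki): an audit of the
# two things the advisory says to review, run against a constructed
# httpd.conf fragment and a throw-away pub/ tree built below.
# Assumptions: one configuration file (Include is not followed) and no
# nested <Directory> blocks.
SAMPLE_HTTPD_CONF = """\
# constructed sample, not a real site's configuration
AccessFileName .htaccess .acl
<Directory "C:/foswiki/bin">
    AllowOverride None
</Directory>
<Directory "C:/foswiki/pub">
    Options FollowSymLinks
    AllowOverride All
</Directory>
"""

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def access_file_names(conf_text: str) -> List[str]:
    """Names Apache honours as per-directory override files.  Without an
    AccessFileName directive the default is .htaccess; the last directive
    in the file wins and may list several names."""
    names = ['.htaccess']
    for m in re.finditer(r'^\s*AccessFileName\s+(.+?)\s*$', conf_text, re.M | re.I):
        names = m.group(1).split()
    return names


def allow_override_for(conf_text: str, dir_suffix: str) -> Dict[str, str]:
    """AllowOverride value of every <Directory> block whose path ends with
    dir_suffix (e.g. 'pub'); '(not set)' if the block has no directive."""
    result = {}
    for m in DIRECTORY_RE.finditer(conf_text):
        path, body = m.group(1).rstrip('/'), m.group(2)
        if not path.lower().endswith(dir_suffix.lower()):
            continue
        ao = re.search(r'^\s*AllowOverride\s+(.+?)\s*$', body, re.M | re.I)
        result[path] = ao.group(1) if ao else '(not set)'
    return result


def find_override_files(pub_dir: str, names: List[str]) -> List[str]:
    """Walk pub/ and list every file whose name equals one of the override
    file names.  The comparison is case-insensitive because that is how the
    Windows file system (and Apache on it) matches the name."""
    wanted = {n.lower() for n in names}
    hits = []
    for root, _dirs, files in os.walk(pub_dir):
        hits.extend(os.path.join(root, f) for f in files if f.lower() in wanted)
    return sorted(hits)


def audit(conf_text: str, pub_dir: str) -> List[str]:
    """One finding per problem the advisory's checklist would flag."""
    findings = []
    names = access_file_names(conf_text)
    if names != ['.htaccess']:
        findings.append('AccessFileName is %s: {UploadFilter} must block these names too' % names)
    for path, value in allow_override_for(conf_text, 'pub').items():
        if value.lower() != 'none':
            findings.append('%s: AllowOverride %s (should be None)' % (path, value))
    for f in find_override_files(pub_dir, names):
        findings.append('override file present, remove it and review the directory: ' + f)
    return findings


def build_sample_pub_tree() -> str:
    """Constructed pub/ tree with one planted override file, for the demo."""
    pub = tempfile.mkdtemp(prefix='foswiki-pub-')
    topic = os.path.join(pub, 'Sandbox', 'TestTopic')
    os.makedirs(topic)
    for name in ('.htaccess', 'notes.txt', 'Photo.JPG'):
        open(os.path.join(topic, name), 'w').close()
    return pub


if __name__ == '__main__':
    for finding in audit(SAMPLE_HTTPD_CONF, build_sample_pub_tree()):
        print(finding)
```

Against the constructed input the script reports three findings: the extra AccessFileName name, AllowOverride All on the pub block, and the planted .htaccess under Sandbox/TestTopic. The name list from AccessFileName is fed into the file search on purpose, so a site that renamed its override file is checked for that name rather than only for .htaccess.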
Authors and Credits
Action Plan with Timeline
- 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
- 2014-10-07 - Peter Thoeny notifies Foswiki project and sends private alert to TWiki community.
- 2014-10-07 - GeorgeClark verifies issue.
- 2014-10-07 - GeorgeClark sends preliminary alert to Foswiki-announce list with recommended configuration changes.
- 2014-10-08 - GeorgeClark, CrawfordCurrie, MichaelDaum, JanKrueger review issue, agree that a code fix is not required. A simple configuration change is sufficient.
- 2014-10-08 - Security team creates advisory with hotfix